A Channel News Asia report dated 16 June 2026 highlighted a Small Claims Tribunal (SCT) case involving a consumer who suffered losses from a phishing scam. The consumer’s credit card had been fraudulently added to a scammer’s digital wallet. The SCT determined that the consumer bore the loss, as multiple bank alerts were ignored, amounting to gross negligence.
1. Background
The claimant lost over S$3,800 after falling victim to a phishing scam and, although a partial amount was recovered, sought the remaining balance through the SCT. The SCT dismissed the claim against the bank, finding that the claimant’s repeated inaction despite multiple warnings constituted gross negligence.
2. How the Scam Worked (Tokenisation)
Scammers obtained the victim’s credit card number, expiry date and security code. These details were input into a digital wallet on the scammer’s device. A process called tokenisation converted the card details into a digital credential linked to the scammer’s device. Authentication (e.g. OTP) was required, which scammers typically obtain through phishing. Once completed, the scammer could make unauthorised transactions using the tokenised card.
3. Case Overview and Key Facts
The claimant’s card was added to a digital wallet without his knowledge. The bank sent OTP request notifications, confirmation alerts and subsequent alerts over several days. The claimant did not take any action despite receiving these alerts and ignored them as he thought they had no relevance to him since he was not a user of Apple Pay. Subsequently, multiple unauthorised transactions were made using the card.
4. Tribunal’s Findings
The claimant’s failure to act on repeated alerts constituted a sustained course of omissions that fell significantly below the standard of reasonable care expected of a cardholder. This conduct was assessed as gross negligence, resulting in the claimant bearing the loss.
5. Key Takeaways
Phishing scams may involve tokenisation into digital wallets, allowing scammers to bypass traditional card usage.
OTP or authentication credentials remain critical. If compromised, scams can succeed even with security measures.
6. Practical Guidance for Consumers
DO NOT
Click on suspicious advertisements or links requesting payment details.
Disclose OTPs or card details to unknown sources.
Ignore bank alerts and promptly act on suspicious notifications from banks.
DO
Immediately contact the bank if:
1. You receive OTPs that you did not request; or
2. You receive alerts for unknown transactions or wallet provisioning.
Enable real-time transaction alerts where possible.
Read the full story here (Man lost S$3,800 in card phishing scam after clicking on TikTok ad; tribunal finds him liable, not bank - CNA).